All-in-one printers can be used to control infected air-gapped systems from far away

Lucian Constantin | Oct. 17, 2014

Isolating computers from the Internet, called "air gapping," is considered one of the best ways to defend critical systems and their sensitive data from cyberattacks, but researchers have found that it can be undermined using an all-in-one printer.

Renowned cryptographer Adi Shamir, co-inventor of the widely used RSA cryptographic system, and researchers Yuval Elovici and Moti Guri from Ben-Gurion University in Israel recently set out to find methods of controlling malware running on air-gapped systems, subverting the goal of preventing Internet-based attacks. Theoretically, if a malicious program is installed on an air-gapped computer by an unsuspecting user via, say, a USB thumb drive, attackers should have a hard time controlling the malicious program or stealing data through it because there is no Internet connection.

But the researchers found that if a multifunction printer is attached to such a computer, attackers could issue commands to a malicious program running on it by flashing visible or infrared light at the scanner lid when open. Shamir presented the unusual attack, which he dubbed Scangate, Thursday during his keynote at the Black Hat Europe security conference in Amsterdam.

The researchers observed that if a source of light is pointed repeatedly at the white coating on the inside of the scanner's lid during a scanning operation, the resulting image will have a series of white lines on a darker background. Those lines correspond to the pulses of light hitting the lid, and their thickness depends on the duration of the pulses, Shamir explained.

Using this observation, the researchers developed Morse code that can be used to send pulses of light at different intervals and interpret the resulting lines as binary data — 1s and 0s. Malware running on an air-gapped system could be programmed to initiate a scanning operation at a certain time — for example, during the night — and then interpret the commands sent by attackers using the technique from far away.
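The banding described above also gives defenders something to look for. The following is an added example, not code from the researchers or the article: a check that an endpoint monitor could run on scanner output to flag images containing several separate, full-width bright lines. The image representation, thresholds and function names are assumptions, and the sample images are constructed.

```python
from statistics import mean, pstdev

def row_profile(image):
    """Per-row (mean, spread) of brightness; image is a list of rows of 0-255 ints."""
    return [(mean(row), pstdev(row)) for row in image]

def bright_bands(image, bright=200, max_spread=10):
    """Return (first_row, thickness) for each run of uniformly bright rows.

    Assumption: light flooding the lid brightens a scan line across its whole
    width, so a band row has a high mean and a low spread. Printed content
    rarely produces rows that are bright and uniform edge to edge.
    """
    bands, start = [], None
    for y, (m, s) in enumerate(row_profile(image)):
        lit = m >= bright and s <= max_spread
        if lit and start is None:
            start = y                        # a band begins
        elif not lit and start is not None:
            bands.append((start, y - start)) # a band ends
            start = None
    if start is not None:                    # band runs to the last row
        bands.append((start, len(image) - start))
    return bands

def is_suspicious(image, min_bands=4):
    """Flag scans with several separate full-width bright lines (assumed threshold)."""
    return len(bright_bands(image)) >= min_bands

def make_scan(band_spec, width=32, height=40, dark=30, lit=240):
    """Constructed sample: dark image with bright bands at the given (row, thickness)."""
    img = [[dark] * width for _ in range(height)]
    for y0, thickness in band_spec:
        for y in range(y0, y0 + thickness):
            img[y] = [lit] * width
    return img

# Constructed scan with thin and thick lines, as pulses of different duration would leave.
STRIPED = make_scan([(2, 2), (8, 5), (17, 2), (23, 5), (32, 2)])
# Constructed ordinary scan: a bright block covering only part of each row.
DOCUMENT = [[240 if 4 <= x < 20 else 30 for x in range(32)] for _ in range(40)]
# Constructed blank white page: one continuous bright region, not separate lines.
BLANK = make_scan([(0, 40)])
```

Pairing a check like this with an alert on scan jobs that start outside working hours covers both the timing and the image artifact the article describes.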

Shamir estimated that several hundred bits of data can be sent during a single scan. That's enough to send small commands that can activate various functionality built into the malware.

The researchers successfully tested the attack from 200, 900 and 1,200 meters against a computer and printer located in a building in Beersheba, Israel, where EMC, Oracle and other big companies have research centers. They used a laser to flash visible light at the window of the office where the scanner was located, illuminating the room.

Using a more powerful laser could produce reliable results from up to 5 kilometers away, according to Shamir. An attacker would likely use infrared light because it's invisible to the naked eye, but the researchers only tested with infrared light over a short distance because using a high-powered infrared laser can be harmful to people's eyesight.